A popular Chinese-made automotive GPS tracker used in 169 countries has "severe vulnerabilities," posing a potential danger to highway safety, national security, and supply chains, according to new research by a Boston-based cybersecurity firm.
U.S. cybersecurity expert Richard Clarke expressed concern about the Chinese regime.
“If China can remotely control vehicles in the United States, we have a problem,” Clarke said in the press release.
BitSight said the efforts to engage with the Shenzhen-based manufacturer MiCODUS to discuss the GPS tracker's vulnerabilities—beginning in September last year, with CISA joining it in late April—all failed.
‘Not Difficult to Exploit’

GPS trackers are used globally to monitor vehicle fleets, from trucks to school buses to military vehicles, and protect them against theft. In addition to collecting data on vehicle location, they typically monitor other metrics such as driver behavior and fuel usage. Via remote access, many are wired to cut off a vehicle’s fuel or alarm, lock or unlock its doors, and more.
But the vulnerabilities in the affected device could also allow hackers to gain control of the vehicle. For example, a bad actor could “track individuals without their knowledge, remotely disable fleets of corporate supply and emergency vehicles, [and] abruptly stop civilian vehicles on dangerous highways,” according to the BitSight report.
“Unfortunately, these vulnerabilities are not difficult to exploit,” said Pedro Umbelino, the principal BitSight researcher on the project. He said multiple malicious scenarios are possible. For example, a victim's vehicle could be crippled, or a hacker could shut off an engine and demand a cryptocurrency ransom from victims to avoid calling a mechanic.
The researchers listed key users of the GPS trackers, including a Fortune 50 energy company, a national military in South America, a government in Western Europe, and a national military in Eastern Europe. The report didn’t provide entity names.
BitSight researchers urged users to immediately disable the MV720 GPS tracker, which is available on major online retailers and costs less than $25 per unit, until "a fix is made available by the company."
Clarke called the GPS device yet another example of a smart Chinese-made product “that is phoning home and could be used maliciously by the Chinese government."
While Clarke said he doubted the tracker was designed for that purpose, the danger is real because Chinese companies are obliged by law to follow the Chinese Communist Party's orders—which is why Washington has been seeking to minimize Chinese components in U.S. telecoms networks, and why some U.S. lawmakers are pushing for a ban on U.S. government purchases of Chinese drones.
“You just wonder, how often are we going to find these things that are infrastructure—where there’s a potential for Chinese abuse—and the users don’t know?” Clarke told The Associated Press.